  #1  
Old 10th March 2006, 02:06
bjmg
[2.2.0] My patch for more secure passwords

Hi,

as promised here is my patch for more secure passwords.
It now uses a correct md5 encryption and a better salt (more secure) for the standard encryption (DES).
Also .htpasswd files are generated with MD5 encryption (if enabled). This is completely new.
The mailuser backend now also supports MD5 encryption. This is completely new too.

I hope I did not make any mistakes. At least I think the code works well.

To patch your installation you have to do the following:
copy the file in the attachment to /home/admispconfig/ispconfig
run the command: patch --dry-run -p1 -i secure-passwords.txt
If there was NO error run the command:
patch -p1 -i secure-passwords.txt
That's it!

Before I forget it:
DON'T TRUST ANY EXTERNAL CODE WITHOUT PROOFREADING IT.
(And not in any case if it changes something on encryption functions.)

Bernhard
Attached Files
File Type: txt secure-passwords.txt (4.2 KB, 399 views)
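
An added example, not part of the original post or the attached patch: a small Python check of which scheme each entry in a shadow- or .htpasswd-style file uses after patching. It distinguishes traditional DES crypt, MD5-crypt ($1$) and Apache's $apr1$ MD5 variant, and lists DES salts shared by several users. The user names and hash strings are constructed samples; the thread does not say whether the patch writes $1$ or $apr1$ into .htpasswd, so both are recognised.

```python
import re

B64 = r"[./0-9A-Za-z]"  # alphabet used by crypt(3) salts and hashes
SCHEMES = [
    ("md5-crypt", re.compile(rf"^\$1\$({B64}{{1,8}})\$({B64}{{22}})$")),
    ("apr1-md5", re.compile(rf"^\$apr1\$({B64}{{1,8}})\$({B64}{{22}})$")),
    ("des-crypt", re.compile(rf"^({B64}{{2}})({B64}{{11}})$")),  # 2-char salt
]

def classify(field):
    """Return (scheme, salt) for one password field."""
    for name, rx in SCHEMES:
        m = rx.match(field)
        if m:
            return name, m.group(1)
    return "unknown", None

def audit(lines):
    """Parse 'user:hash[:...]' lines (shadow or .htpasswd layout)."""
    report = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, rest = line.partition(":")
        field = rest.split(":", 1)[0]  # drop the extra shadow fields
        if field in ("", "*") or field.startswith("!"):
            report.append((user, "locked-or-empty", None))
        else:
            report.append((user, *classify(field)))
    return report

def reused_salts(report):
    """DES salts carried by more than one user; worth checking the salt source."""
    seen = {}
    for user, scheme, salt in report:
        if scheme == "des-crypt":
            seen.setdefault(salt, []).append(user)
    return {s: u for s, u in seen.items() if len(u) > 1}

# Constructed sample entries: correct shape only, not real hashes.
SAMPLE = [
    "web1_alice:abCdEfGhIjKlM:13200:0:99999:7:::",
    "web1_bob:abZyXwVuTsRqP:13200:0:99999:7:::",
    "web2_carol:$1$Xy3kQ9.a$0123456789abcdefghijkl:13200:0:99999:7:::",
    "dave:$apr1$r31.....$ABCDEFGHIJKLMNOPQRSTUV",
    "mail_erin:!:13200:0:99999:7:::",
]

if __name__ == "__main__":
    rep = audit(SAMPLE)
    print(*rep, sep="\n")
    print("reused DES salts:", reused_salts(rep))
```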
  #2  
Old 10th March 2006, 09:01
till

Hi Bernhard,

thanks for the patch! We will review it and merge it in SVN if everything works as expected.

Till
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
  #3  
Old 28th March 2006, 15:56
olaus
hello,

does that code also affect the passwords for the web-login ( stored in mysql isp_isp_kunde:webadmin_passwort ) ?
those are anyway more vulnerable than the ones in /etc/shadow because mysql-access rights are enough to read them.

ciao
arnim

Quote:
Originally Posted by bjmg
as promised here is my patch for more secure passwords.
It now uses a correct md5 encryption and a better salt (more secure) for the standard encryption (DES).
Also .htpasswd files are generated with MD5 encryption (if enabled). This is completely new.
The mailuser backend now also supports MD5 encryption. This is completely new too.
  #4  
Old 28th March 2006, 16:05
till

Quote:
Originally Posted by olaus
does that code also affect the passwords for the web-login ( stored in mysql isp_isp_kunde:webadmin_passwort ) ?
those are anyway more vulnerable than the ones in /etc/shadow because mysql-access rights are enough to read them.

These are totally different passwords.

The password in the field isp_isp_kunde:webadmin_passwort is an md5 encrypted password of the client for the ISPConfig web interface. Do not mix them up with the (linux) user passwords this thread is about.

The client passwords are encrypted with totally different algorithms so they are not affected by the issue described in this thread. Also we cannot store passwords in /etc/shadow that we need for authentication in the web interface.

All times are GMT +2.